This vulnerability affects Oracle Identity Manager Connector 12.2.1.4.0 and permits an unauthenticated attacker with network access over HTTP to compromise the component, resulting in unauthorized access to critical or all accessible data. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact without integrity or availability impact. The vulnerability is difficult to exploit but can lead to significant data confidentiality breaches. Oracle has addressed this issue in its April 2026 Critical Patch Update, which includes patches for Fusion Middleware products including Oracle Identity Manager Connector.

Successful exploitation can lead to unauthorized access to critical data or complete access to all data accessible by the Oracle Identity Manager Connector. There is no impact on data integrity or availability. The vulnerability requires network access via HTTP and is considered difficult to exploit. No known active exploitation has been reported.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers are strongly advised to apply this update promptly to remediate the vulnerability. No alternative mitigations or workarounds are specified by Oracle. Patch status is confirmed as available via the official Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.